Make Tech Easier - Friday, June 1, 2018 at 11:25 AM
The Router-Based Malware “VPNFilter” and How to Protect Yourself
Recently there’s been a somewhat worrying public service announcement from the
FBI that everyone should reboot their
routers<https://www.ic3.gov/media/2018/180525.aspx>. They advise doing this to
prevent a nasty piece of router malware from taking hold of your hardware.
Given that the threat is serious enough for the FBI to issue a public service
announcement, it can be unsettling to think about what might be lurking within
your router. So, what is it, and what can you do? Let’s break down this new
threat to see what it is, how it works, and what you can do to protect yourself
from it.
What Is It?
The malware in question is called “VPNFilter.” Despite its innocent-sounding
name, it’s anything but! Its main attack vector involves burrowing into the
routers of homes and small businesses. It’s also designed to stay within the
router after it has been rebooted, making it a particularly stubborn example of
malware.
VPNFilter spreads by targeting routers with known flaws and weaknesses, and
devices in Ukraine are the most heavily targeted of any country. The
origins of VPNFilter all point to a group called
“Sofacy”<https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected>
that developed the code and spread it worldwide.
What Does It Do?
So once this new malware gets into a router, what does it do? VPNFilter is
quite advanced and deploys its payload over three stages:
1. The first stage is where the malware installs itself on a vulnerable
router and sets itself up to persist even after the router has been turned off.
2. Once the first stage is installed properly, the second stage begins. This
involves installing the capacity for VPNFilter to execute commands, collect
files, and manage the router. It has enough control over the router that it can
permanently damage the router’s system files (known as “bricking”) on command,
if need be.
3. Once stage 2 has been properly deployed, stage 3 acts as a plugin
installation on top of stage 2. Stage 3 lets the attackers inspect the packets
passing through the router, which is where your data is being transferred. It
also grants stage 2 the ability to communicate over Tor.
Power-cycling the router wipes stages 2 and 3, but the “seed” set up during
stage 1 persists. Even so, a reboot removes the most damaging part of the
VPNFilter malware, which is why people have been told to restart their
routers.
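The stage 2 and stage 3 behaviour described above (the router itself talking out to the Internet, including over Tor) gives defenders something to look for. The following is an added example, not code from the article or from any vendor: it reviews constructed firewall log lines and flags connections that the router itself originates, as opposed to traffic it merely forwards for a LAN host. The log format, the router addresses, the allowlist of services a router is expected to initiate on its own (DNS, NTP, HTTPS for update checks), and the use of the default Tor relay ports 9001 and 9030 as a heuristic are all assumptions made for this example.

```python
"""
Added example: review firewall logs for connections a home/SOHO router
originates itself. A router normally forwards LAN traffic and only sources
a few connections of its own (DNS, NTP, vendor update checks). A router that
has started opening its own connections to arbitrary hosts, or to ports used
by Tor relays, deserves a closer look. Everything below is constructed.
"""
import re

# Constructed LAN and WAN addresses of the router under review.
ROUTER_ADDRS = {"192.168.1.1", "203.0.113.10"}

# Assumed allowlist: destination ports a router is expected to initiate itself.
EXPECTED_ROUTER_SERVICES = {53: "dns", 123: "ntp", 443: "https-update"}

# Heuristic (assumption): 9001 and 9030 are the default Tor relay OR and
# directory ports. A LAN host using Tor would source such traffic itself;
# the gateway doing so is unusual.
TOR_LIKE_PORTS = {9001, 9030}

# Assumed log format: "<timestamp> <ACCEPT|DROP> <TCP|UDP> src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one LAN host browsing normally, plus the router
# itself making an NTP query, an update check, and two odd connections.
SAMPLE_LOG = """\
2018-06-01T10:00:01Z ACCEPT UDP 192.168.1.23:51234 -> 198.51.100.5:53
2018-06-01T10:00:02Z ACCEPT UDP 203.0.113.10:123 -> 198.51.100.7:123
2018-06-01T10:00:03Z ACCEPT TCP 192.168.1.23:44321 -> 198.51.100.20:443
2018-06-01T10:00:04Z ACCEPT TCP 203.0.113.10:38821 -> 198.51.100.30:9001
2018-06-01T10:00:05Z ACCEPT TCP 203.0.113.10:38822 -> 198.51.100.31:8080
2018-06-01T10:00:06Z ACCEPT TCP 203.0.113.10:38823 -> 198.51.100.32:443
2018-06-01T10:00:07Z DROP TCP 198.51.100.99:4444 -> 203.0.113.10:22
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def review_router_egress(log_text, router_addrs=ROUTER_ADDRS):
    """Return (reason, record) pairs for router-originated flows that are
    not on the expected-services allowlist. Forwarded LAN traffic and
    dropped inbound attempts are ignored; only what the router itself
    successfully sends out is of interest here."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["src"] not in router_addrs or rec["dst"] in router_addrs:
            continue  # forwarded for a LAN host, or router-local traffic
        if rec["dport"] in TOR_LIKE_PORTS:
            findings.append(("router-to-tor-like-port", rec))
        elif rec["dport"] not in EXPECTED_ROUTER_SERVICES:
            findings.append(("router-unexpected-egress", rec))
    return findings


if __name__ == "__main__":
    for reason, rec in review_router_egress(SAMPLE_LOG):
        print(f"{rec['ts']} {reason}: {rec['src']} -> {rec['dst']}:{rec['dport']}")
```

Run against the constructed log, the review reports the router's connection to port 9001 and its connection to an unlisted port 8080, while the LAN host's DNS and HTTPS traffic, the router's own NTP and HTTPS update check, and the dropped inbound attempt are all left alone. The allowlist is deliberately short; a real deployment would add whatever the router legitimately does (DDNS updates, cloud management, vendor telemetry) before trusting the result.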
Does It Affect All Routers?
Not every router can be hit by VPNFilter. Symantec goes into detail on which
routers are
vulnerable.<https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware>
To date, VPNFilter is known to be capable of infecting enterprise and small
office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as
well as QNAP network-attached storage (NAS) devices. These include:
* Linksys E1200
* Linksys E2500
* Linksys WRVS4400N
* Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
* Netgear DGN2200
* Netgear R6400
* Netgear R7000
* Netgear R8000
* Netgear WNR1000
* Netgear WNR2000
* QNAP TS251
* QNAP TS439 Pro
* Other QNAP NAS devices running QTS software
* TP-Link R600VPN
If you own any of the above devices, check your manufacturer’s support page for
updates and advice about defeating VPNFilter. Most have issued a firmware
update that should protect you from VPNFilter’s attack vectors.
Is It Unfixable?
Luckily, despite sounding as if VPNFilter will be in routers forever, there
are ways to get rid of it. While VPNFilter persists through the router being
powered down, it can’t survive a factory reset. Put your router through one of
those and the malware will get caught up in the wipe and effectively be
scrubbed out of your router. A reset alone does not close the flaw the malware
used to get in, so apply your manufacturer’s firmware update afterwards.
Once done, be sure to change your network credentials and disable remote
management settings as well. Your details may have been leaked out in the
attack, and preventing remote access can stop a future attack from reaching
your home PCs and devices.
Vaporising VPNFilter
While VPNFilter is a nasty piece of kit that has attracted the attention of the
FBI, it’s not unbeatable! By doing a factory reset, you can clear your router
of the malware. Plus, if your manufacturer has pushed out an update, you can
avoid being infected again later down the line.
Does VPNFilter affect you in any way? Let us know below.
Image credit: Router<https://www.flickr.com/photos/declanjewell/2535985009/>,
closeup of a wireless router and a man using smartphone on living room at home
office
<https://www.shutterstock.com/image-photo/closeup-wireless-router-man-using-smartphone-538032022>
by Casezy idea/Shutterstock
https://www.maketecheasier.com/router-based-vpnfilter-malware/
David Goldfield
Assistive Technology Specialist
Feel free to visit my Web site
WWW.DavidGoldfield.info<http://WWW.DavidGoldfield.info>